introduction to amazon cloudfront - pop-up loft tel aviv
TRANSCRIPT
Amazon’s Content Delivery Service
Amazon CloudFront
Tom Witman, Global Business Development Manager, AWS Edge Services, Seattle, WA
CloudFront: Content Delivery Network
• Highly Scalable Distributed Caching Network
• Global Infrastructure
• Dynamic, Static, and Streaming Object Delivery
• Highly Secure
• Robust Analytics
• Self Service
• Priced to Minimize Cost
Content Delivery Applies to any Use Case
• Media and Entertainment
• Gaming
• eCommerce
• Digital Advertising
• Software Downloads
• Mobile
• Dynamic Websites and Applications
CloudFront and the AWS Ecosystem
• Integrates with AWS Resources
– Rt53 DNS
– Amazon Elastic Transcoder
– S3 Storage
– EC2 Compute and Elastic Load Balancing
– Marketplace SaaS and SI partners
– Mobile Hub
• Improves Scalability of other Amazon Resources
• Discounts on Data Transfer from Amazon S3 & EC2 to CloudFront
CloudFront and the Hybrid Ecosystem
• Origins Can be Hosted on Site or in the Cloud
– Custom origins for static / dynamic content
– Fine grained control for custom origins, pass through headers
– SSL, TLS session management between edge / origin
• Improves Scalability
CloudFront Security and Compliance Features
• Compliance
– PCI DSS Compliance
– ISO 9001, 27001, 27017, 27018
• Security Enhancements to your infrastructure
– Signed URL
– Signed Cookies
– Enforce HTTPS to origin
– Support for TLSv1.1 and TLSv1.2 between edge and origin
– Add/Modify Request Headers Forwarded From CloudFront to Origin
– Integration with AWS Certificate Manager
– Integration with AWS WAF (web application firewall)
– Geographic Restriction
What You Look for in a CDN
• Performance: deliver content with low latency and high availability
• Reach and Functionality: provide global network of edge locations to optimally reach a wide audience
• Cost: ensure financial feasibility for scalable bit delivery
Common Features for Web Applications
• Video Streaming: RTMP (Flash) and HTTP(S) delivery; Adaptive Bitrate Streaming (HLS, HDS, Smooth, MPEG-DASH)
• Security: Private Content; SSL, TLS/SNI Support; Advanced SSL (perfect forward secrecy, OCSP stapling, session tickets); Geo Restriction; AWS WAF; SSL Enforcement to Origin; Custom Headers from Edge to Origin
• Content Management: AWS Management Console; Full control via APIs; Programmatic Invalidation; Online Usage Reports and Charts; Industry-compliant, detailed Access Logs; GZIP Compression
• Dynamic Content Acceleration: Low Minimum Content Expiration Periods (TTL=0); Multiple Cache Behaviors; Multiple Origin Servers; CORS Support; Origin Connection Protocol; Viewer Connection Protocol; Zone Apex Support; Query String & Cookie Support; Put/Post HTTP Verb Support; Full VARY Support; User Agent Detection (Mobile/Desktop); Geo Targeting; Multi-Site Hosting; Wildcard Invalidations; Persistent TCP Connections
CloudFront Key Infrastructure Features
• Video Streaming: On-demand & Live Streaming; RTMP (Flash) and HTTP(S); Adaptive Bitrate Live Streaming; Microsoft Smooth Streaming
• Whole Site Delivery: Static & Dynamic Content; Mobile Detect, CORS Support; Multiple Cache Behaviors; Multiple Origin Servers
• Security: Private Content (Signed URLs); Custom SSL (Dedicated IP & SNI); Geo Restriction; HTTP to HTTPS Redirect
• High Availability: 99.9% SLA; Automatic Origin Failover; Custom Error Pages; Serve Stale Content when Origin unavailable
• High Performance: Latency Based Routing; TCP Optimization; Persistent Connections; EDNS Client Subnet
• Low TCO: Pay for use; Commit-Based lower pricing; Price Classes; Preferential Pricing for AWS origins
CloudFront Dynamic Site Performance
[Chart: Dynamic Site Performance (ms)* for CloudFront Dynamic Delivery vs. Origin, shown at the 95th, 75th, 50th, 25th and 10th percentiles and the mean; y-axis 0 to 1200 ms.]
*Data from Cedexis, Last 5 Days, DSA Time Measure of the Ireland region
Performance: Industry Leading Latency and Availability
[Chart: Global Availability* in percent, y-axis 97 to 100, bars labelled CloudFront, CDN B, CDN C, CDN D, CDN E; plotted values in that order: 99.483, 99.373, 99.037, 98.848, 98.056.]
[Chart: Latency (Response Time)** in ms, y-axis 0 to 600, bars labelled CDN E, CloudFront, CDN B, CDN D, CDN C.]
*Data from Cedexis, Last 30 Days, Availability measured over All Cedexis Regions. **Data from Cedexis, Last 30 Days, Response Time Measure of the United States.
AWS Global Infrastructure – Spring 2016
AWS Regions and Availability Zones: 11 Regions, 30 Availability Zones
AWS Content Delivery Network: 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
• North America: Cities: 15, PoPs: 21
• South America: Cities: 2, PoPs: 2
• Europe/Middle East/Africa: Cities: 10, PoPs: 16
• Asia Pacific: Cities: 11, PoPs: 15
Map legend: Edge location
2016 Amazon Web Services Confidential
Amazon CloudFront, Amazon Route 53, and AWS WAF Locations: 54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
Map legend: CloudFront, Amazon Route 53, AWS WAF
North America (Cities: 15, PoPs: 21): Ashburn, VA (3); Atlanta, GA; Chicago, IL; Dallas/Fort Worth, TX (2); Hayward, CA; Jacksonville, FL; Los Angeles, CA (2); Miami, FL; New York, NY (3); Newark, NJ; Palo Alto, CA; San Jose, CA; Seattle, WA; South Bend, IN; St. Louis, MO
South America (Cities: 2, PoPs: 2): Rio de Janeiro, Brazil; São Paulo, Brazil
Europe / Middle East / Africa (Cities: 10, PoPs: 16): Amsterdam, The Netherlands (2); Dublin, Ireland; Frankfurt, Germany (3); London, England (3); Madrid, Spain; Marseille, France; Milan, Italy; Paris, France (2); Stockholm, Sweden; Warsaw, Poland
Asia Pacific (Cities: 11, PoPs: 15): Chennai, India; Hong Kong, China (2); Manila, the Philippines; Melbourne, Australia; Mumbai, India; Osaka, Japan; Seoul, Korea (2); Singapore (2); Sydney, Australia; Taipei, Taiwan; Tokyo, Japan (2)
Map legend: CloudFront, Amazon Route 53, AWS WAF, Edge location, AWS Region, Elastic Transcoder Region
Amazon Elastic Transcoder Regional Deployments
Six Regions: US East (Virginia), US West (N. California), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo)
Manage Your Content Your Way
API:
POST /2012-07-01/distribution HTTP/1.1
Host: cloudfront.amazonaws.com
Authorization: AWS authentication string
Date: time stamp
Other required headers
<?xml version="1.0" encoding="UTF-8"?>
<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2012-07-01/">
Console: management and reporting
CloudFront Pricing: Competitive, Flexible Options
• On-demand, pay for use elastic pricing
• Same pricing for Static and Dynamic Content
• Usage Commitment Options
• GB delivery model
• No Platform Fees
[Chart: Data Transfer Economies of Scale – Price per GB vs. Data Transfer, Public Rates and Private Rates.]
CloudFront Pricing: Price Classes – performance / cost optimization on demand
• All: 54 PoPs, 38 Cities, 19 Countries (Best Coverage)
• North America + Europe: 36 PoPs, 25 Cities, 10 Countries (Lowest Cost)
• North America + Europe + Asia: 50 PoPs, 34 Cities, 17 Countries (Great Coverage + Optimized Cost)
Deliver Content Globally and Control Pricing to Fit Performance and Cost Objectives
Customer Support: Help When You Need It
• Enabled Self Service
• AWS Solution Architects and CloudFront Sales
• 24 Hour AWS Customer Service
• Dedicated Support Engineers
• Fast Response Times (<15 mins)*
* Depends on level of Support (http://aws.amazon.com/premiumsupport/)
The Nitty Gritty: How It Works
General Use Cases: Static Content; Dynamic Content; Custom Origins; Behaviors; Error Pages; Invalidations
Media and Entertainment: Asset Download and Progressive Video Playback and Download; Streaming Media – Adaptive Bitrate Video on Demand (VoD); Streaming Media – Live Delivery; Digital Publishing
Content types: Dynamic, Static, Video
Deliver All of Your Content: whole site delivery
Diagram: Users A, B and C send requests (user input, over SSL) to Amazon CloudFront (example.com). CloudFront serves *.jpg static content from Amazon S3 or a custom origin, and *.php dynamic content from Amazon EC2 behind Elastic Load Balancing or a custom origin; Request A is shown being forwarded from CloudFront to the origin.
Automatic Scalability: CloudFront scales with demand while reducing load on your origin.
Reference Architecture: OverviewStatic and Dynamic Content Delivery
Reference Architecture: HTTP Methods – Requests to the CloudFront edge
• HEAD: Identical to GET except that the server MUST NOT return a message-body in the response. Used for obtaining meta-information about the entity implied by the request without transferring the entity-body itself.
• POST: Used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.
• PUT: The fundamental difference between the POST and PUT requests is reflected in the different meaning of the Request-URI.
• PATCH: Used to apply partial modifications to a resource.
• DELETE: Requests that the origin server delete the resource identified by the Request-URI.
• OPTIONS: Request for information about the communication options available on the request/response chain identified by the Request-URI.
• GET: Requests for content from the cache (HTTP, HTTPS and RTMP).
Reference Architecture: Determining Content Source – Overview of Rt53 Intelligent Routing Options
1) The customer location sends a request for www.mysite.com to Route 53.
2) Possible answers: Location A resolves to xyz.cloudfront.net; Location B resolves to the IP address of EC2; Location C resolves to the IP address of S3; Location D resolves to the IP address of a non-AWS end point.
3) Route 53 examines geo source, weights, latency and health checks across the candidates (Elastic Cloud Compute, S3, CloudFront, Non-AWS End Point).
4) Route 53 returns an IP address based on the precedent criteria.
5) If the request is sent to CloudFront, then CloudFront determines the best PoP to send the requestor to based on the CDN rules.
Reference Architecture: Overview – Media/Entertainment – Streaming in Front of Your Origin
• Deliver Static and Dynamic Content
• Offload origin traffic to CloudFront CDN
• Serve LIVE Event Traffic to Large Crowds
• Serve VOD Media to any device
• Alter content based on User Agent
• Secure connections via SSL
• Authenticate via signed URLs
• Supports 3rd Party DRM
Diagram: CloudFront sits in front of two origins: Static Content served from S3 (*.jpg, *.m3u8, *.ts, *.css) and Dynamic or Static Content served from ELB and/or EC2 (*.php, *.js, *.m3u8, *.ts).
Reference Architecture: CloudFront Origin Selection – Origin Selection Based on Intelligent Behavior Rules
Customer Location → www.mysite.com → CloudFront path pattern matching (/*.jpg; /*.php etc.)
• GET http://mysite.com/images/1.jpg → ORIGIN A
• GET http://mysite.com/index.php → ORIGIN B
• GET http://mysite.com/web/home.css → ORIGIN C
• GET http://mysite.com/* (DEFAULT) → ORIGIN D
Origins: A: origin.mysite.com; B: origin2.mysite.com; C: origin3.mysite.com; D: origin4.mysite.com
Path Pattern Matching: /*.php; /images/*.jpg; /web/*.css; /*.* (DEFAULT)
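The behavior table above is evaluated in order, first match wins, and the catch-all must come last. The following Go block is an added example, not CloudFront's or AWS's own code: it implements CloudFront-style path patterns, where `*` matches any run of characters (including `/`) and `?` matches exactly one, and routes the slide's four sample requests to the slide's placeholder origin hostnames. It goes slightly beyond the slide by using `*` as the default pattern, which is how CloudFront's default cache behavior is expressed, rather than `/*.*`, so that paths without an extension also get an origin.

```go
package main

import (
	"fmt"
	"strings"
)

// Behavior is one cache behavior: a CloudFront-style path pattern and the
// origin it routes to. Behaviors are evaluated in order; the first match wins.
type Behavior struct {
	PathPattern string
	Origin      string
}

// matchGlob reports whether pattern matches path, where '*' matches any run of
// characters (including '/') and '?' matches exactly one character.
func matchGlob(pattern, path string) bool {
	for len(pattern) > 0 {
		switch pattern[0] {
		case '*':
			// Try every split point for the wildcard, including the empty one.
			for i := 0; i <= len(path); i++ {
				if matchGlob(pattern[1:], path[i:]) {
					return true
				}
			}
			return false
		case '?':
			if len(path) == 0 {
				return false
			}
		default:
			if len(path) == 0 || path[0] != pattern[0] {
				return false
			}
		}
		pattern, path = pattern[1:], path[1:]
	}
	return len(path) == 0
}

// SelectOrigin walks the ordered behaviors and returns the origin of the first
// pattern that matches the request path. The leading "/" is dropped on both
// sides, as CloudFront compares patterns against the path without it. An empty
// string means no behavior matched, which only happens without a catch-all.
func SelectOrigin(behaviors []Behavior, requestPath string) string {
	p := strings.TrimPrefix(requestPath, "/")
	for _, b := range behaviors {
		if matchGlob(strings.TrimPrefix(b.PathPattern, "/"), p) {
			return b.Origin
		}
	}
	return ""
}

// DefaultBehaviors mirrors the slide's table with its placeholder hostnames.
// The more specific patterns come first; the catch-all "*" must stay last.
func DefaultBehaviors() []Behavior {
	return []Behavior{
		{"/images/*.jpg", "origin.mysite.com"}, // Origin A
		{"/*.php", "origin2.mysite.com"},      // Origin B
		{"/web/*.css", "origin3.mysite.com"},  // Origin C
		{"/*", "origin4.mysite.com"},          // Origin D (default)
	}
}

func main() {
	paths := []string{"/images/1.jpg", "/index.php", "/web/home.css", "/about", "/images/photo.png"}
	for _, p := range paths {
		fmt.Printf("GET %-20s -> %s\n", p, SelectOrigin(DefaultBehaviors(), p))
	}
}
```

Because `*` crosses directory boundaries, `/*.php` also matches `/admin/login.php`; when a path should route differently it needs its own, more specific behavior placed earlier in the list.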
Reference Architecture: HTTP Headers for Dynamic Content – VARY content served based on HTTP Headers
Content delivered to a request may vary depending on the request headers that were passed in the GET request. The header is used as a cache key and passed on to the origin for the appropriate content. Common headers supported are listed:
• Accept: determine which content types are acceptable for the response
• Accept-Charset: determine which character sets are acceptable
• Accept-Datetime: determine which version in time is acceptable
• Accept-Language: determine the list of acceptable human languages for the response
• Authorization: used for credentials for HTTP authentication
• CloudFront-Forward-Proto: HTTP protocol detected, to vary content based on session security (SSL vs. non-SSL)
• CloudFront-Is-Desktop-Viewer: CloudFront user agent (UA) detected and set to desktop based on mapping
• CloudFront-Is-Mobile-Viewer: CloudFront user agent (UA) detected and set to mobile based on mapping
• CloudFront-Is-Tablet-Viewer: CloudFront user agent (UA) detected and set to tablet based on mapping
• CloudFront-Viewer-Country: CloudFront geo-detected country code
• Host: domain name and TCP port of the server
• Origin: used for CORS; sets the allowed domain for the origin to honor and share assets
• Referer: sends the URL/URI to the origin to log referrers
*Note: custom headers are also supported, not just those listed here
Reference Architecture: CloudFront HTTP Headers Examples – VARY content served and cached based on Headers in the GET request
1) Vary response based on User Agent. Example: Desktop, Mobile, Tablet (CloudFront-Is-Mobile-Viewer for a mobile user, CloudFront-Is-Desktop-Viewer for a desktop user).
2) Vary response based on Language. Example: user would prefer Danish but will accept British English and other types of English (Accept-Language: da, en-gb;q=0.8, en;q=0.7).
3) Vary response based on Protocol. Example: CloudFront-Forward-Proto detected (SSL, non-SSL) and the customer sends different content based on connection type.
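The two slides above make a point worth seeing in code: only the headers you choose to forward become part of the cache key, so a whitelisted Accept-Language or CloudFront-Is-Mobile-Viewer splits the cache into variants, while an unlisted header cannot fragment it. This Go block is an added example, not CloudFront's own implementation: it builds a cache key from the path plus a whitelist of forwarded headers, and parses the slide's Accept-Language value (`da, en-gb;q=0.8, en;q=0.7`) into a preference order so an origin can pick the best variant it actually has. The whitelist and the sample requests are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// cacheKeyHeaders is a constructed whitelist of request headers that are
// forwarded to the origin and folded into the cache key. Anything not listed
// here is ignored for caching, so it cannot create extra cache variants.
var cacheKeyHeaders = []string{
	"Accept-Language",
	"CloudFront-Forward-Proto",
	"CloudFront-Is-Mobile-Viewer",
	"CloudFront-Is-Desktop-Viewer",
}

// CacheKey builds a deterministic key from the path plus only the whitelisted
// headers, in a fixed order, with header names case-folded and values trimmed.
func CacheKey(path string, headers map[string]string) string {
	norm := make(map[string]string, len(headers))
	for k, v := range headers {
		norm[strings.ToLower(k)] = strings.TrimSpace(v)
	}
	parts := []string{path}
	for _, h := range cacheKeyHeaders {
		if v, ok := norm[strings.ToLower(h)]; ok {
			parts = append(parts, strings.ToLower(h)+"="+v)
		}
	}
	return strings.Join(parts, "|")
}

// langPref is one Accept-Language entry with its q weight.
type langPref struct {
	tag string
	q   float64
}

// ParseAcceptLanguage turns "da, en-gb;q=0.8, en;q=0.7" into tags ordered by
// descending q (q defaults to 1.0 when absent; q=0 entries are dropped).
// A stable sort keeps the header's own order for equal q values.
func ParseAcceptLanguage(value string) []string {
	var prefs []langPref
	for _, item := range strings.Split(value, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		tag, q := item, 1.0
		if idx := strings.Index(item, ";"); idx >= 0 {
			tag = strings.TrimSpace(item[:idx])
			if param := strings.TrimSpace(item[idx+1:]); strings.HasPrefix(param, "q=") {
				if f, err := strconv.ParseFloat(param[2:], 64); err == nil {
					q = f
				}
			}
		}
		if q > 0 {
			prefs = append(prefs, langPref{strings.ToLower(tag), q})
		}
	}
	sort.SliceStable(prefs, func(a, b int) bool { return prefs[a].q > prefs[b].q })
	out := make([]string, len(prefs))
	for i, p := range prefs {
		out[i] = p.tag
	}
	return out
}

// ChooseLanguage returns the first preferred tag the origin can serve
// (case-insensitive match), falling back to defaultLang when nothing matches.
func ChooseLanguage(acceptLanguage string, available []string, defaultLang string) string {
	for _, want := range ParseAcceptLanguage(acceptLanguage) {
		for _, have := range available {
			if strings.EqualFold(want, have) {
				return have
			}
		}
	}
	return defaultLang
}

func main() {
	// Constructed requests for the same path: same language preference,
	// different viewer type, plus a tracing header that must not affect the key.
	reqs := []map[string]string{
		{"Accept-Language": "da, en-gb;q=0.8, en;q=0.7", "CloudFront-Is-Mobile-Viewer": "true", "X-Request-Id": "r1"},
		{"Accept-Language": "da, en-gb;q=0.8, en;q=0.7", "CloudFront-Is-Desktop-Viewer": "true", "X-Request-Id": "r2"},
	}
	for _, h := range reqs {
		fmt.Println("cache key:", CacheKey("/index.php", h))
		fmt.Println("language :", ChooseLanguage(h["Accept-Language"], []string{"en", "en-GB", "de"}, "en"))
	}
}
```

The cost of every header you add to the whitelist is one more cache dimension; forwarding a high-cardinality header such as User-Agent directly, instead of CloudFront's three coarse viewer-type headers, would make almost every request a cache miss and push the load back onto the origin.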
Reference Architecture: CloudFront Signed URL (Authentication) – Protecting Content from Unauthorized Access
Example signed URL:
http://mysite.com/asset.mp4?&Expires=1357034400&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6&Key-Pair-Id=APKA9ONS7QCOWEXAMPLE
1) The request for content first goes to an authentication server (EC2 Auth Server) to validate the user and generate a signed URL.
2) The signed URL is sent back as a 302 redirect from the auth server.
3) The request to CloudFront is made with the signed URL: authentication with the policy statement, and verification of content freshness (it hasn't expired).
4) CloudFront authenticates the policy statement for the signed URL (URL, policy statement, and expiration), sets the cache key, and sends the content to the requestor via the edge cache.
Diagram components: Customer Location; EC2 Auth Server; CloudFront Logic (Authenticate URL, Policy Statement, and Expiration); CloudFront Edge Cache serving www.mysite.com/asset.mp4.
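Steps 1 to 4 above split the work between the auth server (which holds the private key and signs) and the edge (which holds only the public key and verifies). The Go block below is an added example of that split, not CloudFront's or AWS's code: it signs CloudFront's canned policy document with RSA PKCS#1 v1.5 over SHA-1, applies CloudFront's URL-safe base64 alphabet (`+` to `-`, `=` to `_`, `/` to `~`), appends `Expires`, `Signature` and `Key-Pair-Id`, and then verifies a URL the way the edge conceptually does: freshness first, then trusted key lookup, then the signature over the recovered resource. The key pair is generated on the fly and the Key-Pair-Id reuses the slide's example value; the resource is the slide's placeholder URL.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// cannedPolicy is the CloudFront canned policy document, byte for byte: the
// resource URL plus a DateLessThan condition on the Unix expiry time.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, expires)
}

// cfEncode and cfDecode apply CloudFront's URL-safe base64 variant.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}

func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// SignURL is the auth server's job: sign the canned policy with the trusted
// signer's private key and append the three signing parameters to the URL.
func SignURL(resource string, expires time.Time, key *rsa.PrivateKey, keyPairID string) (string, error) {
	exp := expires.Unix()
	digest := sha1.Sum([]byte(cannedPolicy(resource, exp)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	u, err := url.Parse(resource)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("Expires", strconv.FormatInt(exp, 10))
	q.Set("Signature", cfEncode(sig))
	q.Set("Key-Pair-Id", keyPairID)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// VerifySignedURL is the edge's job: strip the signing parameters to recover
// the resource, refuse anything at or past Expires, then check the signature
// with the public key registered for Key-Pair-Id. Failures are distinct so a
// log line can say which check rejected the request.
func VerifySignedURL(signed string, now time.Time, trusted map[string]*rsa.PublicKey) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	expStr, sigStr, kid := q.Get("Expires"), q.Get("Signature"), q.Get("Key-Pair-Id")
	if expStr == "" || sigStr == "" || kid == "" {
		return errors.New("missing signing parameters")
	}
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil {
		return errors.New("malformed Expires")
	}
	if now.Unix() >= exp {
		return errors.New("url expired") // freshness check before any crypto
	}
	pub, ok := trusted[kid]
	if !ok {
		return errors.New("unknown Key-Pair-Id")
	}
	sig, err := cfDecode(sigStr)
	if err != nil {
		return errors.New("malformed Signature")
	}
	q.Del("Expires")
	q.Del("Signature")
	q.Del("Key-Pair-Id")
	u.RawQuery = q.Encode()
	digest := sha1.Sum([]byte(cannedPolicy(u.String(), exp)))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig) != nil {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	// Constructed key pair: the private half stays on the auth server, only the
	// public half is registered at the edge under the (example) Key-Pair-Id.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const keyPairID = "APKA9ONS7QCOWEXAMPLE"
	trusted := map[string]*rsa.PublicKey{keyPairID: &key.PublicKey}
	now := time.Now()
	signed, _ := SignURL("http://mysite.com/asset.mp4", now.Add(time.Hour), key, keyPairID)
	fmt.Println(signed)
	fmt.Println("fresh   :", VerifySignedURL(signed, now, trusted))
	fmt.Println("expired :", VerifySignedURL(signed, now.Add(2*time.Hour), trusted))
	fmt.Println("tampered:", VerifySignedURL(strings.Replace(signed, "asset", "other", 1), now, trusted))
}
```

The resource is part of the signed policy, which is why rewriting `asset.mp4` to another path invalidates the signature, and why the expiry check happens before the RSA operation: expired or malformed requests are rejected cheaply, and only well-formed, unexpired URLs cost a signature verification.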
Reference Architecture: CloudFront Routing Rules – Latency Based PoP Selection, Geo-Restriction, Price Classes
1) Request routed based on latency. Example: a customer in Rio is routed to the least latent node, the Rio de Janeiro PoP location, and content is sent to the requestor via the Rio de Janeiro CloudFront edge cache.
2) Request denied based on geo restriction. Example: a customer in a restricted country; the CloudFront edge cache denies the request (content blocked due to geo rules) and a custom error page is sent back for the 403.
3) Request routed based on Price Class. Example: Price Classes set up to restrict content delivery to nodes in N. America and Europe for cost savings; the Rio de Janeiro customer is served from the Miami CloudFront edge cache, a Price Class enabled node.
Reference Architecture: Load Balancing – Load Balance between your CDN providers using Rt53
Diagram: Customer Location → www.mysite.com → Route 53 → CNAME = xyz.cloudfront.net (CloudFront) or CNAME = xyz.somecdn.com (Non-AWS End Point: Custom Origin or Alternative CDN)
• Weighted Round Robin Routing: CNAME = xyz.cloudfront.net, weight = 0-255; CNAME = xyz.somecdn.com, weight = 0-255
• Latency Based Routing: CNAME = xyz.cloudfront.net, latency metric; CNAME = xyz.somecdn.com, latency metric
• Fail Over Routing: CNAME = xyz.cloudfront.net, PRIMARY; CNAME = xyz.somecdn.com, SECONDARY
• Geolocation Routing: CNAME = xyz.cloudfront.net, LOCATION 1…LOCATION X; CNAME = xyz.somecdn.com, LOCATION 2…LOCATION Y
Reference Architecture: Load Balancing Cache Fills – Load Balance between your ORIGINs to fill the CloudFront Caches
Diagram: Customer Location → www.mysite.com → CNAME = xyz.cloudfront.net (CloudFront) → Route 53 (Load Balance via DNS) → origin.mysite.com in us-east (EC2, S3, ELB), origin.mysite.com in us-west (EC2, S3, ELB), or a Non-AWS End Point (Custom Origin or Alternative CDN)
• Weighted Round Robin Routing: CNAME = xyz.cloudfront.net, weight = 0-255; CNAME = xyz.somecdn.com, weight = 0-255
• Latency Based Routing: CNAME = origin.mysite.com, latency metric; CNAME = origin.mysite.com, latency metric
• Fail Over Routing: CNAME = origin.mysite.com, PRIMARY; CNAME = origin.mysite.com, SECONDARY
• Geolocation Routing: CNAME = origin.mysite.com, LOCATION 1…LOCATION XAFTER; CNAME = origin.mysite.com, LOCATION 2…LOCATION Y
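The weighted and failover policies on the two load-balancing slides above are easy to reason about with a small model. The Go block below is an added example, not Route 53's own code or anything from AWS: it picks a CNAME target in proportion to its weight (0-255, as on the slide) while skipping records whose health check failed, and implements PRIMARY/SECONDARY failover. The targets are the slide's placeholder names; the health states and the 192:64 weight split are constructed for the example, and the random draw is passed in as a parameter so the selection is deterministic.

```go
package main

import (
	"errors"
	"fmt"
)

// Record is one DNS answer candidate: the CNAME target, its weight (0-255 as
// on the slide) and the latest health-check result.
type Record struct {
	Target  string
	Weight  int
	Healthy bool
}

// healthyWeight sums the weights of records that are healthy and non-zero.
func healthyWeight(records []Record) int {
	total := 0
	for _, rec := range records {
		if rec.Healthy && rec.Weight > 0 {
			total += rec.Weight
		}
	}
	return total
}

// WeightedChoice returns a target with probability proportional to its weight,
// skipping unhealthy and zero-weight records. r must be in [0, healthyWeight);
// the caller draws it (from a PRNG in practice), which keeps this testable.
func WeightedChoice(records []Record, r int) (string, error) {
	total := healthyWeight(records)
	if total == 0 {
		return "", errors.New("no healthy weighted targets")
	}
	if r < 0 || r >= total {
		return "", fmt.Errorf("r=%d out of range [0,%d)", r, total)
	}
	for _, rec := range records {
		if !rec.Healthy || rec.Weight <= 0 {
			continue
		}
		if r < rec.Weight {
			return rec.Target, nil
		}
		r -= rec.Weight
	}
	return "", errors.New("unreachable")
}

// Failover answers with the PRIMARY while its health check passes, otherwise
// the SECONDARY; when both fail, the error lets the caller serve a static
// error page instead of handing clients a dead endpoint.
func Failover(primary, secondary Record) (string, error) {
	switch {
	case primary.Healthy:
		return primary.Target, nil
	case secondary.Healthy:
		return secondary.Target, nil
	}
	return "", errors.New("both endpoints unhealthy")
}

// Share walks every value of r once and counts answers per target, which makes
// the weight split visible (192:64 is three answers in four for the first).
func Share(records []Record) map[string]int {
	counts := map[string]int{}
	for r := 0; r < healthyWeight(records); r++ {
		if t, err := WeightedChoice(records, r); err == nil {
			counts[t]++
		}
	}
	return counts
}

func main() {
	recs := []Record{
		{Target: "xyz.cloudfront.net", Weight: 192, Healthy: true},
		{Target: "xyz.somecdn.com", Weight: 64, Healthy: true},
	}
	fmt.Println("answer share:", Share(recs))
	recs[0].Healthy = false // constructed: the CloudFront CNAME fails its health check
	t, _ := WeightedChoice(recs, 10)
	fmt.Println("after failed health check:", t)
	fmt.Println(Failover(Record{Target: "xyz.cloudfront.net"}, Record{Target: "xyz.somecdn.com", Healthy: true}))
}
```

A health check only protects you if it exercises the same path clients use; a check against the CDN hostname that succeeds while the origin behind it is down would keep weight on a target that cannot fill the cache.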
Reference Architecture: Intelligent Routing – Using CloudFront with Rt53: In front of the CDN and the Origins
1) Request made for content; DNS (Route 53) resolves www.mysite.com to a CloudFront CNAME and the customer request is sent to CloudFront.
2) CloudFront selects the optimal edge location (PoP) to serve content from based on latency and Price Class.
3) For cache fills: Rt53 load balances between origins based on weighted round robin or based on geo determination.
4) The customer requests/receives content from the optimal CloudFront PoP.